OpenStage IEEE 802.1x Configuration Management Administrator Documentation Issue 6
IEEE 802.1x
Configuration Management
Administration Manual
A31003-J4200-M100-6-76A9
1.1 Introduction
1.1.1 What is 802.1x?
1.1.2
1.1.3
All enterprises who want to prevent unauthorized devices from accessing the company network.
Economic aspects have to be taken into consideration:
- ease of mobility within the network;
- flexible office;
- project teams that only cooperate for certain periods of time;
- guest accounts in the network, e.g. business partners;
as well as administrative aspects:
- assignment of network resources;
- business management applications (e.g. SAP);
- rules-based administration of groups.
1.2
802.1x authentication is done using digital certificates and EAP-TLS via a RADIUS server.
Initial State / Preparation / Deployment
The switch only allows access to the telephone management tool (DLS).
The telephone only "sees" the DLS (the DLS takes care of the IP address) and is not registered at any proxy.
The telephone is not logged on to the customer network.
The DLS server downloads the certificates generated in the CA (trust center) onto the telephone (user certificate and server certificate).
[Figure: Entity (Supplicant) --EAPOL-- Switch (Authenticator) --RADIUS-- RADIUS Server (Authentication Server)]
If the certificate comparison is positive, the RADIUS server sends a success message to the Layer 2 switch.
The Layer 2 switch releases the switch port to which the authenticated devices are connected.
[Figure: Entity, Authenticator, RADIUS Server; messages 2. EAPoL Start, 3. EAP Request/Identity, 4. EAP Response/Identity, 5. EAP Request, 6. EAP Response, 7. EAP Success]
The port to the user system is in unauthorized status, i.e. network access is refused.
2. The "normal" EAP exchange begins when the authenticator sends an EAP request/identity packet.
4. The Entity then responds with an EAP response/identity, which the authenticator forwards as a RADIUS access request.
5. The RADIUS server responds with a RADIUS access challenge packet, which the authenticator transmits to the user system using a suitable protocol with all necessary data.
6. The user system sends the data entered by the user back to the authenticator as an EAP response. The authenticator then packs the result data into the data field of a RADIUS access request and forwards it.
7. The RADIUS server approves access with a RADIUS access accept, after which the authenticator sends an EAP success to the Entity and sets the port to authorized status. The Entity is authorized to use the network and can access it.
8. If, for example, the PC is disconnected from the Entity, the Entity sends an EAPoL logoff to the authenticator, which in turn resets the port for the PC to unauthorized so that an unknown device cannot connect.
>
The user system does not necessarily have to send an EAPoL start message. The authenticator can send an EAP request/identity to update the authentication data.
1.3
1.3.1 Connection overview
802.1X was first introduced for wireless devices to secure access and data via an access point to a local area network (LAN). The same standard is used to secure the access of wired devices via an access switch to a LAN.
An IP phone, for example an OP410/420, uses the EAPOL protocol with EAP-TLS, which is a certificate-based authentication method.
This certificate-based authentication (EAP-TLS) is much more secure than the other methods and also matches the requirements of a device like a phone or a PC.
[Figure: IEEE 802.1x, security for IP network connectivity]
1.3.2
[Figure: IP phone (supplicant) connected to the LAN switch; RADIUS server; asset DB (e.g. Meta Directory); DLS; PKI]
1. The IP phone (supplicant) is connected to the LAN and is blo-
Important:
The LAN switch must support "multi-domain" authentication on the switch port.
2.
Overview EAP-TLS
The figure below shows the data flow between IEEE 802.1x components during an EAP-TLS-based authentication.
[Figure: IP Phone -- Access Switch -- RADIUS Server; message sequence as listed]
1. IP Phone -> Access Switch: EAPOL-Start
2. Access Switch -> IP Phone: EAP-Request/Identity
3. IP Phone -> Access Switch: EAP-Response/Identity = optiClient
4. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/Identity = optiClient
5. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS
6. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS Start, S bit set)
7. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
8. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS (TLS client_hello)
9. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)
10. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)
11. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)
12. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)
13. RADIUS Server -> Access Switch: RADIUS Access-Challenge/EAP-Message/EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
14. Access Switch -> IP Phone: EAP-Request/EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
15. IP Phone -> Access Switch: EAP-Response/EAP-Type=EAP-TLS
16. Access Switch -> RADIUS Server: RADIUS Access-Request/EAP-Message/EAP-Response/EAP-Type=EAP-TLS
17. RADIUS Server -> Access Switch: RADIUS Access-Accept/EAP-Message/EAP-Success (other attributes)
18. Access Switch -> IP Phone: EAP-Success
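The exchange in the figure above and the steps in Section 1.2 can be followed at the byte level. The Python below is an added example written for this manual, not code from the OpenStage firmware, FreeRADIUS or any switch: it builds and parses EAPOL frames (IEEE 802.1X) and EAP packets (RFC 2284), labels them the way the figure does, and shows how a TLS handshake flight larger than the fragment size is split into EAP-TLS packets using the L, M and S flag bits (RFC 2716) and reassembled with a length check, which is where a malformed or missing fragment is rejected. The identity string optiClient and the 1024-byte fragment size are taken from this chapter; the sample flight is constructed and the function names are my own.

```python
"""EAPOL / EAP / EAP-TLS framing helpers (added example, not code from the manual)."""
import struct

# EAPOL (IEEE 802.1X) packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes (RFC 2284) and the two method types used in the figure
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
# EAP-TLS flag bits (RFC 2716): L = length included, M = more fragments, S = TLS start
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


def eapol(packet_type, body=b"", version=1):
    """EAPOL frame: version(1) type(1) body-length(2) body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) total-length(2) [type(1) data]; Success/Failure have no type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eapol(frame):
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": packet_type, "body": body}


def parse_eap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        info["type"], info["data"] = packet[4], packet[5:]
    return info


def describe(frame):
    """Label an EAPOL frame the way the figure above does."""
    e = parse_eapol(frame)
    if e["type"] == EAPOL_START:
        return "EAPOL-Start"
    if e["type"] == EAPOL_LOGOFF:
        return "EAPOL-Logoff"
    p = parse_eap(e["body"])
    name = {EAP_REQUEST: "EAP-Request", EAP_RESPONSE: "EAP-Response",
            EAP_SUCCESS: "EAP-Success", EAP_FAILURE: "EAP-Failure"}[p["code"]]
    if "type" not in p:
        return name
    if p["type"] == EAP_TYPE_IDENTITY:
        ident = p["data"].decode("ascii", "replace")
        return name + "/Identity" + ("=" + ident if ident else "")
    if p["type"] == EAP_TYPE_TLS:
        flags = p["data"][0] if p["data"] else 0
        bits = "".join(n for n, b in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & b)
        return name + "/EAP-Type=EAP-TLS" + (" (flags " + bits + ")" if bits else "")
    return name + "/EAP-Type=%d" % p["type"]


def eap_tls_fragments(tls_data, first_id, max_chunk, code=EAP_REQUEST):
    """Split TLS handshake data into EAP-TLS packets carrying at most max_chunk TLS bytes each.
    The first fragment sets L and announces the total length; every fragment but the last sets M.
    Each fragment gets its own EAP identifier, since each is a separate request/response round."""
    packets, offset, identifier = [], 0, first_id
    while True:
        chunk = tls_data[offset:offset + max_chunk]
        offset += len(chunk)
        flags, header = 0, b""
        if not packets:
            flags, header = FLAG_L, struct.pack("!I", len(tls_data))
        if offset < len(tls_data):
            flags |= FLAG_M
        packets.append(eap(code, identifier, EAP_TYPE_TLS, bytes([flags]) + header + chunk))
        identifier = (identifier + 1) & 0xFF
        if offset >= len(tls_data):
            return packets


def reassemble_eap_tls(packets):
    """Rebuild TLS data from fragments; rejects a wrong M flag or a length that does not add up."""
    buf, declared = bytearray(), None
    for i, pkt in enumerate(packets):
        p = parse_eap(pkt)
        if p.get("type") != EAP_TYPE_TLS or not p["data"]:
            raise ValueError("not an EAP-TLS packet")
        flags, body = p["data"][0], p["data"][1:]
        if flags & FLAG_L:
            declared, body = struct.unpack("!I", body[:4])[0], body[4:]
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment position")
        buf += body
    if declared is not None and declared != len(buf):
        raise ValueError("reassembled %d bytes but %d were declared" % (len(buf), declared))
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: a 2560-byte server flight split at the fragment_size of 1024
    # used in the FreeRADIUS configuration later in this manual.
    flight = bytes(range(256)) * 10
    frags = eap_tls_fragments(flight, 3, 1024)
    print([describe(eapol(EAPOL_EAP_PACKET, p)) for p in frags])
    print(reassemble_eap_tls(frags) == flight)
```

Running the module prints the three fragment labels (the first carrying flags LM, the last none) and True for the round trip. The M-flag and declared-length checks in reassemble_eap_tls are the kind of consistency tests a supplicant or authenticator performs before handing the bytes to the TLS layer; a fragment train that stops early or lies about its total length is dropped rather than passed on.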
1.3.3 Necessary environment
IP phones
- All versions of optiPoint HFA with firmware V5 R4.2.0 or later
- All versions of optiPoint SIP V6 with firmware V6 R2.67.0 or later
- All versions of optiPoint SIP V7 with firmware V7 R0.9.0 or later
The following versions apply if EAPOL-Logoff with 802.1x is not activated or there are no certificates on the phone:
- All versions of optiPoint HFA with firmware V5 R4.6.0 or later
- All versions of optiPoint V7 with firmware V7 R1.3.0 or later
- OpenStage 20, 40 and OpenStage 60/80 AB Software Release V1 R3.2.15 (FP 4.3) and V0 R7.10,138 (FP 4.4)
Access switch which supports 802.1X
- Cisco Catalyst 3560
- ProCurve Switch 3500yl (HP)
- Enterasys Matrix N1 Platinum
- Nortel
- Huawei
- among others
RADIUS server which supports EAP-TLS
- IAS
- Cisco Radius
- Cisco ACS
- FreeRadius
- among others
Public Key Infrastructure (PKI) including a Certificate Services CA which can create and distribute certificates to the RADIUS server and the Deployment Server (DLS).
1.3.4 Secondary documentation
The following table lists some references you may find useful. The IEEE standard is fairly readable. The RFCs are also fairly clearly written.
- IEEE 802.1x standard document
- EAP standard, RFC 2284
- EAP-TLS, RFC 2716
- One-Time Password, RFC 1938
- EAP: IETF draft search page
- RADIUS, RFC 2865
- RADIUS Accounting, RFC 2866
- RADIUS Tunneling Attributes support, RFC 2867
- RADIUS Tunneling Attributes support, RFC 2868
- RADIUS Extensions, RFC 2869
- RADIUS Support for EAP, RFC 3579
2.1 Installation Overview
The RADIUS server can be installed as a Linux or Windows Server 2003 solution. For the Microsoft solution, a computer with Windows Server 2003 Enterprise edition and the necessary administration tools is used.
You can also use the flow chart for the introduction of IEEE 802.1x (Section 2.2) to branch to the descriptions of the individual installation steps.
2.1.1
2.1.2
2.1.3
2.1.4
2.2
[Flow chart for the introduction of IEEE 802.1x, reconstructed from the figure. Decisions are written as questions; the boxes listed under a branch are the steps of that branch, grouped by the RADIUS server they belong to.]
Does the customer already have certificates?
  Yes: All necessary certificates are available: server certificate, client certificate
  No: Configure IAS?
    Yes:
      Is Active Directory already available? No: Install Active Directory
      Install Internet Information Services (IIS)
      Install certification services
      Install Internet Authentication Service (IAS)
      Create a user account in the Active Directory
      Configure IAS access rights for the Authenticator (Switch)
      Configure certificates under Windows XP and export the certificates
    No: Configure CISCO ACS?
      Yes:
        Install OpenSSL for Windows and generate certificate chain
        Install Cisco ACS configuration program and configure Cisco ACS
      No: Configure FreeRADIUS?
        Yes:
          Install OpenSSL Linux
          Install FreeRADIUS for LINUX
          Configure and export certificates; configure FreeRADIUS server for LINUX
        No: Configure other RADIUS?
          Yes: Install another RADIUS
          No: End
Certificate handover by the client
All necessary certificates are available: server certificate, client certificate
Import certificates to DLS
Plug and Play with certificate
Reboot the telephone
Can the telephone connect to DLS?
  No: Ask the network administrator for guest VLAN access
  Yes: VLAN-ID received?
    No: Plug and Play with certificate; reboot the telephone
    Yes: Was EAP successful?
      No: Port is closed; network problem; no connection to RADIUS; certificates not valid. End
      Yes: Was SIP registration successful?
        No: SIP trace and fault repair. End
        Yes: End
2.3
1. www.missl.cs.umd.edu/wireless/eaptls
2. www.freeradius.org/doc/EAPTLS.pdf
3. www.denobula.com
These papers provide an excellent background, but are somewhat out of date. Where appropriate, I will simply refer to these documents rather than repeating the information. I recommend that you follow the steps I give below rather than the steps in these documents.
In the steps below, I give examples from the FreeRADIUS server that I installed yesterday on my Red Hat 9 computer. If you follow this example, please make the needed changes to the names of the files. I installed the FreeRADIUS and OpenSSL files in special local directories. This ensures that there is no interaction between the base Linux files and the new files. It also allows you to easily remove all of the newly installed files.
>
One word of caution: Be prepared for unforeseen events when using trial versions of FreeRADIUS and OpenSSL or if they come from "beta" software versions. Do not be surprised if you encounter problems.
2.3.1
2.3.1.1 Download OpenSSL
You first have to download the latest stable released version of OpenSSL (OpenSSL-0.9.7). Save the software in a home directory. You can download the current version from the following FTP directory:
ftp://ftp.openssl.org/snapshot/
Install OpenSSL
mkdir -p /usr/src/802/openssl
cd /usr/src/802/openssl
cp /home/jbibe/openssl-0.9.7-stable-SNAP-20040202.tar.gz \
openssl-0.9.7-stable-SNAP-20040202.tar.gz
gunzip openssl-0.9.7-stable-SNAP-20040202.tar.gz
tar xvf openssl-0.9.7-stable-SNAP-20040202.tar
cd openssl-0.9.7-stable-SNAP-20040202
./config shared --prefix=/usr/local/openssl
make
make install
When you perform the config, make, and make install here and in the FreeRADIUS install described below, I recommend that you log the information. For example, instead of using the simple "make" command, use:
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.
This completes the work with OpenSSL, except for building the required certificates.
2.3.2
2.3.2.1 Download FreeRADIUS
The first step is to download and install the latest snapshot version of FreeRADIUS:
http://www.freeradius.org/
2.3.2.2 Install FreeRADIUS
First possibility
# cd /usr/local/src
# wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz
# tar zxfv freeradius-1.0.0.tar.gz
# cd freeradius-1.0.0
2. You can pass options to configure. Use ./configure --help or read the README file for more information.
When you perform the config, make, and make install here and in the FreeRADIUS install described below, I recommend that you log the information. For example, instead of using the simple "make" command, use:
make > mymake.log 2>&1
If you encounter problems, you can review mymake.log (or myconfig.log, or myinstall.log) for errors.
The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.
If something went wrong, check the INSTALL and README included with the source. The RADIUS FAQ also contains valuable information.
Second possibility
Download ftp.freeradius.org/pub/radius/CVS-snapshots and use the following nine steps:
mkdir -p /usr/src/802/radius
cd /usr/src/802/radius
cp /home/jbibe/freeradius-snapshot-20040203.tar.gz \
freeradius-snapshot-20040203.tar.gz
gunzip freeradius-snapshot-20040203.tar.gz
tar xvf freeradius-snapshot-20040203.tar
cd freeradius-snapshot-20040203
./configure --with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib \
--prefix=/usr/local/radius
make
make install
2.3.3
>
When using EAP-TLS, both the Authentication Server and all the Supplicants (clients) need certificates [RFC2459].
Using EAP-TTLS or PEAP, only the Authentication Server requires certificates; Supplicant certificates are optional.
You get certificates from the Certificate Authority (CA). If there is no local CA available, OpenSSL may be used to generate self-signed certificates.
Included with the FreeRADIUS source are some helper scripts to generate self-signed certificates. The scripts are located under the scripts/ folder included with the FreeRADIUS source:
CA.all is a shell script that generates certificates based on some questions it asks.
>
The script uses a Perl script called CA.pl, included with OpenSSL. The path to this Perl script in CA.all and CA.certs may need to be changed to make it work.
More information on how to generate your own certificates can be found in the SSL certificates HOWTO.
Server and client certificates are needed for TLS and PEAP. To produce the required certificates, I recommend that you use CA.all that is included with FreeRADIUS. CA.all uses the configuration information in openssl.cnf.
1. openssl.cnf -- Update openssl.cnf for your configuration. The configuration file is located at:
/usr/local/openssl/ssl
A portion of the information from my openssl.cnf is given below. (The company information does not describe an actual company located in Brentwood, TN.) Note that the configuration information includes the password "whatever". It is the certificate password.
When CA.all executes, it uses this information three times. The first pass through this information produces the root certificates. If you set up your configuration as shown below, you will be able to accept all of the settings in the first pass. The second pass through this
2. CA.all -- Update the CA.all script for your requirements. The file is located at:
/usr/src/802/radius/freeradius-snapshot-20040203/scripts
If you use the default password "whatever", you only need to verify that the path in the script points to the installed OpenSSL information. No changes should be necessary, but there is one gotcha. At about line 30, the path will probably be in error. Look for the following line and update the path as needed:
echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca
For TLS and PEAP, the server needs root.pem and cert-srv.pem.
For TLS, the Windows XP client needs root.der and cert-clt.p12.
For PEAP, the Windows XP client needs root.der.
2.3.4
There are only a few changes and additions needed for TLS authentication. The files clients.conf, users and radiusd.conf are located at:
/usr/local/radius/etc/raddb
1. clients.conf -- This file contains the basic configuration for the Access Point. Look for the following line, then uncomment and modify as appropriate:
#client 192.168.0.0/24 {
client 192.168.1.0/24 {
        secret = AP_Shared_Secret
        shortname = WLAN
}
2. users -- This file contains the basic user information. Look for the following line and then add the user name:
#"John Doe" Auth-Type := Local, User-Password == "hello"
#
jbibe
>
Note that for TLS, you should not include an Auth-Type or a password. The server is able to determine the correct Auth-Type, and a password is not needed because the client uses a client certificate for authentication.
3. radiusd.conf -- This file contains the server configuration information. Look for the following lines and then change the default_eap_type from md5 to tls:
eap {
        default_eap_type = md5
Change md5 to tls.
Move down to the following line, and then uncomment and modify the information, as shown below:
>
Note that the server certificates, dh file and random file are placed in a new directory 1x on the system. Modify the path as needed for your server.
#tls {
tls {
        private_key_password = whatever
        private_key_file = /usr/local/radius/etc/1x/cert-srv.pem
        certificate_file = /usr/local/radius/etc/1x/cert-srv.pem
        CA_file = /usr/local/radius/etc/1x/root.pem
        dh_file = /usr/local/radius/etc/1x/dh
        random_file = /usr/local/radius/etc/1x/random
        fragment_size = 1024
        include_length = yes
}
No other changes are needed in radiusd.conf for TLS.
4. Server Certificates, DH File, and Random File -- A new directory 1x was added in the radius etc directory, and then the server certificates (root.pem and cert-srv.pem) were copied into the directory. Finally, the following trick was used to produce dh and random:
date > dh
date > random
If you prefer, use your keyboard to enter some random characters in these files. Or, even better, use the OpenSSL tools to produce the random information for these files.
5. Run-Radius -- The only server addition remaining is a wrapper for radiusd. A new file runradius was added in the /usr/local/radius/sbin directory.
----- Wrapper Script ------------------------------------
#!/bin/sh -x
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
/usr/local/radius/sbin/radiusd "$@"
---------------------------------------------------------
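The secret in clients.conf is more than a login password for the access point or switch: it keys the Message-Authenticator that RFC 3579 requires on every Access-Request carrying EAP-Message attributes, and it goes into the Response Authenticator the server puts on its Access-Challenge and Access-Accept. The Python below is an added example, not FreeRADIUS code: it encapsulates an EAP packet into RADIUS the way the figure in Section 1.3.2 shows (EAP-Message split into attributes of at most 253 bytes, NAS-Port-Type = Ethernet as in the IAS policy later in this chapter), computes and checks the HMAC-MD5 Message-Authenticator with the shared secret, and builds and verifies the server's reply. The EAP bytes and the Request Authenticator used for the demonstration are constructed; the function names are mine.

```python
"""RADIUS encapsulation of EAP with Message-Authenticator (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15
ZERO16 = bytes(16)


def attr(attr_type, value):
    """One RADIUS attribute: type(1) length(1) value; the value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attrs(eap_packet):
    """An EAP packet longer than 253 bytes is carried in several EAP-Message attributes."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
                    for i in range(0, len(eap_packet), 253))


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _message_authenticator(code, ident, authenticator, attrs, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    return hmac.new(secret, _packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_access_request(ident, user_name, eap_packet, secret, request_auth=None):
    """Access-Request as the switch (NAS) sends it; request_auth is random unless given for tests."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user_name.encode())
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + eap_message_attrs(eap_packet))
    mac = _message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def build_response(code, request, eap_packet, secret):
    """Access-Challenge/Accept/Reject answering `request`. The Message-Authenticator is computed
    with the Request Authenticator in the header; the Response Authenticator then replaces it:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    ident, request_auth = request[1], request[4:20]
    attrs = eap_message_attrs(eap_packet)
    mac = _message_authenticator(code, ident, request_auth, attrs, secret)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_message_authenticator(packet, secret, request_auth=None):
    """Check the Message-Authenticator; for replies, pass the matching Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = parse_attrs(packet[20:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    auth = packet[4:20] if request_auth is None else request_auth
    # Recompute over the packet with the MAC zeroed in place, keeping the attribute order
    zeroed = b"".join(attr(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, _packet(code, ident, auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def verify_response(response, request, secret):
    """What the switch checks before trusting a reply: both authenticators against the request."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, secret, request_auth))


def eap_payload(packet):
    """Concatenate the EAP-Message attributes back into the EAP packet."""
    return b"".join(v for t, v in parse_attrs(packet[20:]) if t == ATTR_EAP_MESSAGE)
```

A switch and a server that disagree on the secret produce packets that fail verify_message_authenticator and verify_response, which is what a "shared secret mismatch" in the FreeRADIUS log corresponds to; the same check rejects a packet whose attributes were altered in transit. Note that RADIUS itself only authenticates the packet; the EAP-TLS payload inside it is protected by TLS between the phone and the server.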
2.3.5 Certificate extension
Example:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Surrey, O=Best CA Ltd, OU=Class 1 Public Primary Certification Authority, CN=Best CA Ltd
        Validity
            Not Before: Feb  5 19:50:16 2000 GMT
            Not After : Feb  4 19:50:16 2001 GMT
        Subject: C=GB, ST=Surrey, O=Best CA Ltd, OU=Class 1 Public Primary Certification Authority, CN=Best CA Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:dd:3c:f6:9a:be:d2:66:20:0c:7d:0c:ae:bc:18:
                    cc:f4:e8:89:8d:16:b3:5c:16:75:06:33:f9:08:4f:
                    d6:9b:f4:6b:e7:4d:0f:44:af:8b:87:dc:79:78:93:
                    e8:e4:20:19:df:f0:0d:04:4d:2c:4c:ad:19:b0:31:
                    8c:6a:4d:a6:d6:0e:e8:ae:e2:37:75:8d:d5:1e:a2:
                    31:15:3c:f4:4d:ad:5d:f8:d0:23:c2:72:de:e2:73:
                    9b:ef:f7:84:25:b0:cf:92:4d:39:4a:18:41:ac:91:
                    81:28:ac:5b:f2:7d:74:e2:8f:f9:a7:c1:c0:b1:93:
                    dd:cd:b1:4c:23:23:63:27:30:4c:da:8e:72:e4:0d:
                    77:c2:22:e2:b4:43:bb:9d:ca:36:59:fc:98:91:0c:
                    da:c4:2c:34:03:0c:e5:91:51:e2:23:20:ae:68:5e:
                    30:8f:9e:f5:a5:2c:e4:bf:ab:2f:fb:82:03:31:b4:
                    ff:5e:90:a8:f0:be:b0:4d:aa:f3:af:2c:27:42:c8:
                    7e:7a:d2:c3:e8:5b:53:8d:86:db:ae:f6:7c:45:03:
                    35:b6:52:9d:a0:c1:e0:da:ac:6b:68:05:7e:f8:73:
                    41:62:63:56:b3:47:6e:11:d8:d4:6c:92:be:65:aa:
                    f2:a5:72:3d:4e:d9:d2:e2:8d:42:92:3e:cf:39:f9:
                    63:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3C:BA:B3:02:44:B6:18:30:75:0A:53:90:24:22:9F:4D:24:72:70:E5
            X509v3 Authority Key Identifier:
                keyid:3C:BA:B3:02:44:B6:18:30:75:0A:53:90:24:22:9F:4D:24:72:70:E5
                DirName:/C=GB/ST=Some-State/O=Best CA Ltd/OU=Class 1 Public Primary Certification Authority/CN=Best CA Ltd
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        b5:b9:80:5c:b1:29:dc:c0:03:db:28:c8:a3:08:30:ac:41:ea:
        fb:ef:60:b6:b9:ca:57:c5:05:04:fc:2d:29:59:69:ba:80:39:
        30:77:90:f4:0d:23:03:25:1a:95:ff:07:a8:67:8c:02:e8:1e:
        f7:7f:96:06:3e:7e:90:99:b2:e1:19:81:da:5c:97:92:0f:a2:
        ab:5d:ca:0e:c0:b7:52:68:69:89:62:c9:4b:29:90:77:64:80:
        c4:a7:4c:18:4c:68:60:b5:e6:fa:24:58:93:b6:72:ef:5c:9b:
        a0:3a:c7:f6:c5:da:d8:7c:f0:a2:20:1e:e0:04:c0:15:ec:6c:
        dd:73:85:6c:a5:2e:a5:8e:b0:21:6e:28:9a:c1:d0:62:42:54:
        26:b0:17:85:cf:d2:64:17:89:c3:99:94:cf:0d:bd:e5:f0:1a:
        06:37:ea:8c:6b:9e:98:22:df:2e:9d:ad:a0:63:89:76:3b:ff:
        e8:9f:cf:2b:e4:85:89:96:6d:4b:d2:80:3c:7b:87:d1:db:2a:
        c1:1d:71:7a:d1:fe:36:59:a7:6c:19:e1:4a:93:23:6b:c0:68:
        bf:ee:f4:0c:7d:77:46:b1:1a:d7:34:64:46:9d:7f:af:58:36:
        77:ff:35:88:d2:3a:03:b4:29:0d:9e:a1:29:56:78:60:fe:00:
        15:98:7a:17
22 January 2010
IEEE 802.1x Configuration Management, Administration Manual
2.4
This document describes how to install a completely new server. If you are using an existing server, the dialog boxes may differ from those described here.
2.4.1
The Active Directory is an essential part of the Windows security model and holds the majority of the security information, e.g.:
- security policies.
This feature particularly prevents unauthorized access to the system. Trust levels between the domains determine how resources may be accessed across domain boundaries. Security policies (e.g. limitation of the number of logon attempts, requests to change user passwords periodically) are system directives according to which resources are made available. The availability of the Active Directory is assured by the cooperation of all domain controllers set up in a Windows domain.
For more information about the use and properties of the Active Directory, please refer to the detailed documentation available through relevant sources (e.g. search in Google).
The sample installation in the following section comprises all necessary steps. The Active Directory can be installed using the default options:
Start | Run... | Open : dcpromo.exe
2.4.2
Internet Information Services provide the Web server, mail server and news server for the Windows Server operating system (in this case Windows Server 2003). IIS must be installed before you install the certification service (see Page 28).
Select Control Panel, Add or Remove Programs, and Add/Remove Windows Components. Highlight Application Server and click on Details....
Make sure that Internet Information Services (IIS) is highlighted, click OK and then Next.
Keep the Windows Server 2003 CD handy so you can insert it into the drive when prompted.
The Information Services are installed. Click Finish in the next dialog to complete the installation.
2.4.3
If the Certificate Services (Certificate Authority or CA) were not installed during the server installation, you have to install them using Windows Setup. Select Add or Remove Programs and Add/Remove Windows Components, go to Certificate Services and Details... and install the Certificate Services CA.
[Dialog: CA type]
- CA of the organization
  - Enterprise root CA
  - Enterprise subordinate CA
- Stand-alone certificate authority
  - Stand-alone root CA
  - Stand-alone subordinate CA
Select Enterprise root CA. This is the most trustworthy CA. It should be installed before any other CA in the network and requires the Active Directory. You have to mark Use custom settings to generate the key pair and CA certificate. Click Next.
Certificates are issued by certificate authorities. If a user requests a certificate, the certificate authority verifies the user specifications based on fixed guidelines. If the verification is successful, the certificate authority generates a key pair and signs it with its own private key.
Enter the path names or accept the presets for the locations where the certificate database and database log are to be stored. Additionally, you can store the configuration information in a shared folder. Click Next.
Setup is executing the configuration changes you requested. IIS has to be stopped temporarily. Confirm the request by clicking Yes.
Confirm the request to enable the "Active Server Pages" by clicking Yes.
2.4.4
The Internet Authentication Service is a RADIUS server. IAS supports a wide range of authentication protocols. The following protocols, for instance, are supported:
Make sure that "Internet Authentication Service (IAS)" is highlighted, click OK and then Next.
2.4.5
Creating Users
Enter all necessary user data. The certificates contain the name in the field "full name" and not the "User logon name".
Enter a new password and confirm it. The password must comply with the password policies, as otherwise the request to create a new user is rejected. The following options should be checked:
The password will be used for login during the creation of the certificate. Confirm by clicking Next. Confirm the next dialog by clicking Finish to create the new user.
Select the new user from the list to specify the properties.
Select the Dial-in tab and highlight Allow access. Confirm by clicking OK.
Creating a Group
A group can be assigned several users, who then have the same group properties.
Right-click on the new group and select Properties. Select the Members tab and click on Add.... Enter the object name to be used. Test the name including the domain for validity by clicking on Check Names. Confirm by clicking OK.
2.4.6
The Authenticator (Switch) has to be entered in the IAS. Before you can assign access rights, you must enter the Authenticator in the DNS. The DNS does not necessarily need to be on the same server.
Right-click on the Trust domain and select New Host (A).... The following dialog is displayed:
Enter the name and IP address of the Authenticator (Enterasys, Switch). Click on Add Host. The creation of the new host is confirmed. Click OK and then Done.
The Authenticator has to be set up as a new RADIUS client. Select Start, Administrative Tools and then Internet Authentication Service.
Enter the name of the RADIUS client and use the Resolve button in the Verify... dialog to check whether the IP address exists for the name specified. Click on Next.
The client vendor should be RADIUS Standard. The shared secret (password) must be identical to the one configured on the Authenticator (Cisco or Enterasys).
Right-click on Remote Access Policies and select New to create a new Remote Access Policy.
Click Add... in the User or Group Access dialog. The Select Groups dialog is displayed. Enter the group name and click on Check Names. If the name is valid, it is underlined and shows the link to the group in the Active Directory (see Section 2.4.5.3). Click OK and then Next. The following dialog is displayed:
Select the Group option and confirm the selected group by clicking on Next.
NAS-Port-Type matches "Ethernet" AND is selected. Click on Edit Profile.... The following dialog is displayed:
Select the Authentication tab and click on EAP Methods. The following dialog is displayed:
Smart Card or other certificate is selected. Click on Edit.... The following dialog is displayed:
Select the certificate issued before (it has to match the certification) and confirm all dialogs by clicking on OK.
2.4.7
Enter e.g. the user name and password you have created on Page 38.
Click on the line Install this CA certification chain (Certificate Authority or CA).
Select Control Panel and then Internet Options. Select the Content tab and click on the Certificates... button. Select the Trusted Root Certification Authorities tab.
The certificate chain added before is displayed in the list of stored certificates.
2.4.7.3
To continue using the certificate, it is exported via the Certificate Export Wizard and saved as a file. You need the saved server certificate later to import into the phones using the DLS. The name under DLS for this certificate is RADIUS Server CA Certificate 1(2). At present, the second RADIUS Server CA certificate cannot be entered in the OpenSt
age telephone.
Click on Home or, if you are not yet or no longer logged on as an authorized user, call the Certification Authority Service and log on (see Page 67). The following dialog is displayed:
Leave the settings unchanged and click on Use the Advanced Certificate Request form.
Select User as Certificate Template. Check the option Mark keys as exportable. Next, click on Submit. The request is generated.
Check whether the certificate is stored correctly. Select Control Panel and then Internet Options. Select the Content tab and click on the Certificates... button. Select the My Certificates tab.
Using the Certificate Export Wizard, the certificate can be exported and saved as a file for later use. Click on the Export... button. The Wizard starts:
Click on Next.
Enter a password and confirm it. This password will be needed again for the import into the DLS, so make a note of it.
Enter the location and name of the file (filename.pfx) in the File Name line. Click on Finish. The name under DLS for this certificate is Phone Certificate.
2.5
ACS is CISCOs Radius Server and features a graphical user interface for configuration and
administration.
2.5.1
Before you can configure certificates, you must generate them, for instance, using OPEN SSL
Windows. To do this, download the latest version of OpenSSL Light for Windows from the Internet (e.g., http://www.slproweb.com/products/Win32OpenSSL.html) and install it.
2.5.1.1
First generate a key pair for the certificate authority (CA). Create a
root certificate key (ca.key) for this and then create the
All further inputs are made in this window. Note that all inputs are case-sensitive.
Creating the root certificate key
Enter the following command:
genrsa -aes256 -out ca.key 2048
Enter and confirm a password when prompted for the "pass phrase". Be sure to make note of
this password as you will need it later. The root certificate key ca.key is created.
22. Januar 2010
IEEE 802.1x Configuration Management, Administration Manual
2-81
c02.fm
Now create the server certificate request and the server certificate key. Create a CRL (Certificate Revocation List) to prevent the deployment of duplicate certificates.
Create the index.txt file with an editor and the content 01.
Enter the following command to create a root certificate request for the servers key:
req -new -newkey rsa:1024 -out servercert.csr -nodes -keyout servercert.key -days 3650
Answer the relevant questions with rational values. Assign a "challenge password" and an optional company name, such as siemens-sen. Two files are created with the names servercert.csr and servercert.key.
Enter the following command to create a server certificate:
x509 -req -in servercert.csr -out servercert.crt -CA ca.crt -CAkey ca.key CAserial index.txt -days 3650
Enter the password already created. A server certificate servercert.crt is created.
You can now create the pairs for the clients. To do this, start by generating the certificate request and the certificate key and finally generate the certificate.
Client certificate request and key
Enter the following command:
req -new -newkey rsa:1024 -out phonecert.csr -nodes -keyout phonecert.key -days 3650
Answer the questions with sensible values. The common name (CN) you enter here is the identity the RADIUS server will see, and the ACS user entry created later must match it. Assign a "challenge password" and an optional company name, such as siemens-sen. Two files are created with the names phonecert.csr and phonecert.key.
Client certificate
Enter the following command:
x509 -req -in phonecert.csr -out phonecert.crt -CA ca.crt -CAkey ca.key -CAserial index.txt -days 3650
Enter the pass phrase of the CA key when prompted. The client certificate phonecert.crt is created.
If you want to password-protect the key on the client side, then leave out the -nodes parameter
in the first call.
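The steps above do not show the command that produces the self-signed root certificate (ca.crt), and they sign the leaf certificates without the key-usage extensions that EAP-TLS peers normally check. The following script is an added example, not part of this manual or of the OpenSSL documentation: it builds the same files non-interactively with the openssl command line, adds the serverAuth/clientAuth extended key usages, uses 2048-bit keys, verifies the resulting chain and exports the phone certificate as the .pfx file that DLS imports. It assumes OpenSSL 1.1.1 or newer on PATH; the subjects, the host name radius.gvs.lab, the pass phrases and the directory are illustrative values.

```shell
#!/bin/sh
# Added example (not from the manual): builds the CA, RADIUS server and
# phone certificates of section 2.5.1 non-interactively with the openssl
# command line, including the self-signed root certificate (ca.crt) and the
# .pfx export for DLS. Assumes OpenSSL 1.1.1 or newer on PATH; the subjects,
# host name "radius.gvs.lab" and pass phrases are illustrative.
set -eu

# Minimal openssl config: a DN section whose values are overridden by -subj,
# and the extension profiles EAP-TLS peers expect (serverAuth / clientAuth).
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = siemens-sen
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_8021x_pki DIR CA_PASS PFX_PASS
build_8021x_pki() {
    (
    mkdir -p "$1" && cd "$1"
    write_openssl_cnf openssl.cnf
    printf '01\n' > index.txt          # serial number file for -CAserial

    # root key, AES-256 protected, and the self-signed root certificate
    openssl genrsa -aes256 -passout "pass:$2" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$2" \
        -subj "/O=siemens-sen/CN=Lab Root CA" \
        -config openssl.cnf -extensions v3_ca -out ca.crt

    # RADIUS server key and request (-nodes: unencrypted key, as in the manual),
    # then the certificate signed by the CA with the serverAuth profile
    openssl req -new -newkey rsa:2048 -nodes -keyout servercert.key \
        -subj "/O=siemens-sen/CN=radius.gvs.lab" \
        -config openssl.cnf -out servercert.csr 2>/dev/null
    openssl x509 -req -days 3650 -in servercert.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$2" -CAserial index.txt \
        -extfile openssl.cnf -extensions v3_server -out servercert.crt 2>/dev/null

    # phone key and request; the CN is the user name the RADIUS server sees
    openssl req -new -newkey rsa:2048 -nodes -keyout phonecert.key \
        -subj "/O=siemens-sen/CN=PhoneCert" \
        -config openssl.cnf -out phonecert.csr 2>/dev/null
    openssl x509 -req -days 3650 -in phonecert.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$2" -CAserial index.txt \
        -extfile openssl.cnf -extensions v3_client -out phonecert.crt 2>/dev/null

    # PKCS#12 bundle (key + certificate + CA) for the DLS import
    openssl pkcs12 -export -inkey phonecert.key -in phonecert.crt \
        -certfile ca.crt -name "Phone Certificate" \
        -passout "pass:$3" -out phonecert.pfx
    )
}

# verify_chain DIR: both leaf certificates must chain to ca.crt and carry the
# key usage their EAP-TLS role requires
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/servercert.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/phonecert.crt" >/dev/null
}

# cert_cn FILE: prints the CN, which must equal the ACS/RADIUS user name
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

if [ -n "${PKI_DEMO_DIR:-}" ]; then
    build_8021x_pki "$PKI_DEMO_DIR" 'ca-pass-change-me' 'pfx-pass-change-me'
    verify_chain "$PKI_DEMO_DIR" && echo "phone CN: $(cert_cn "$PKI_DEMO_DIR/phonecert.crt")"
fi
```

Run it as PKI_DEMO_DIR=./lab-pki sh build-pki.sh; the pass phrases in the guard at the bottom are placeholders. With OpenSSL 3 the .pfx is written with AES and PBKDF2; if an older importer rejects it, add -legacy to the pkcs12 call.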
2.5.1.4
The following files now exist:
ca.key          private key of the CA (protected by the pass phrase)
ca.crt          root certificate
servercert.csr  server certificate request
servercert.key  server private key
servercert.crt  server certificate, signed by the CA
phonecert.csr   client (phone) certificate request
phonecert.key   client private key
phonecert.crt   client certificate, signed by the CA
2.5.2
Installing ACS
Make sure you are running an up-to-date version of the program. A later version than the one described here (version 4.2) may differ in terms of layout and sequence. You can obtain the program CD directly from Cisco or you can download it from the vendor's Web site. If the setup program does not start automatically, run it from the CD or the relevant storage location.
The first mask appears:
Ensure that the requirements listed are met. Do not click Next until all conditions are marked
as complete.
We recommend Cisco Switch IOS 12.2 (40) or later as the version for the requirement "Any
Cisco IOS AAA clients are running Cisco IOS release 11.1 or later".
You can define the display options now or later. We recommend marking all options straight
away. Click Explain if you want to see an explanation of the options. Click Next.
Complete installation with Finish. The Radius server is now available as a service on Windows
Server 2003.
2.5.3
Configuring ACS
You must add the IP address 127.0.0.1 to the list of trusted sites in Microsoft Internet Explorer before you can open ACS.
Configuring a Switch
Generating Certificates
Open ACS via the Start menu. The home page opens in the browser:
Click System Configuration. The System Configuration window opens with the following selection:
Click ACS Certificate Setup. The ACS Certificate Setup selection window appears:
Activate "Read certificate from file", enter the path of the server certificate file (servercert.crt, see page 82) in the "Certificate file" field and the path of the private key file (servercert.key) in the "Private key file" field. If the key was generated with -nodes as shown above, it has no pass phrase and the "Private key password" field stays empty; otherwise enter the pass phrase you chose when generating the key. Complete your inputs with Submit.
The server certificate has already been installed. You do not have to perform a restart yet. Click
Cancel.
Enter the CA certificate (ca.crt, see page 82) in the field and confirm with Submit.
Apply the settings shown for EAP-TLS and click Submit + Restart.
Click Network Configuration in the main column on the left. The following window appears:
Click Add Entry for AAA clients. The following mask appears:
The "AAA Client Hostname" is "Lab13" here, for instance. Enter the IP address(es) of the switch(es) that act as AAA clients in the "AAA Client IP Address" field. Enter the shared secret in the "Shared Secret" field; it must be identical to the key configured on the switch with radius-server host ... key, and it should be a long random string, since it protects the integrity of the RADIUS exchange. Select "RADIUS (Cisco IOS/PIX 6.0)" in the "Authenticate Using" list. Click Submit + Apply.
Click Group Setup in the main column on the left. The following window appears:
Select "Group 1", for instance, in the list. Click Edit Settings. The following mask appears:
Activate "[009\001] cisco-av-pair" and enter "device-traffic-class=voice" in the field so that the
telephone reaches the voice VLAN. Click Submit. The following mask appears:
Activate "[006] Service-Type" and select "Call Check" in the list. Activate "[012] Framed-MTU"
and enter 1500. Click Submit + Restart. The following mask appears:
Rename the group "Siemens IP Phones", for instance, to give it a unique name. Complete your
input with Submit.
Creating Users
Click User Setup in the main column on the left. The following window appears:
Enter the name of the user here, for example, PhoneCert. It must match the common name (CN) of the client certificate, which was specified when you generated the client certificate (see page 83). Click Add/Edit to go to the next mask.
Enter PhoneCert in the fields "Real Name" and "Description". Select "ACS Internal Database" in the list for "Password Authentication". A password is required for the entry; the common name (CN) "PhoneCert" is used here. With EAP-TLS the phone authenticates with its certificate and this password is never used; nevertheless, a random value is safer in case a password-based method is ever enabled for this user. Select the "Siemens IP Phones" group you already created in the list under "Group to which the user is assigned". Complete your input with Submit.
2.6
In the DLS, certificates for the following server/client configurations can be administered:
Server: DLS, Client: IP Phone
Server: RADIUS Server, Client: IP Phone
Note: Certificates can only be administered via the DLS, not via WBM or directly on the telephone. Please ensure that all end devices are provided with the current time via an NTP server before the certificates are deployed, since certificate validity periods are checked against the device clock.
For further information please refer to the Administrator Manual
"HiPath Deployment Service".
2.6.1
Plug&Play Template
To preconfigure certificates via Plug&Play, these need to be saved in a template in DLS which
in turn needs to be part of a profile.
To import certificates in DLS, proceed as follows:
1. Make the phone certificate available from the user certificate for DLS (see "Export the User Certificate from the Certificate Store" on page 78 or "Obtaining or creating Certificates" on page 9).
2. Make the server certificate available from the root certificate for DLS (see "Export the Certificate from the Certificate Store" on page 70 or "Obtaining or creating Certificates" on page 9).
3.
4.
5. If a second certificate is required to enable the swap out of certificates: import the server certificate once again from the root certificate.
6.
Note: For more information on how to create the templates, refer to the chapters "Importing Phone and RADIUS Certificates (Certificate for IEEE 802.1x)" and "Editing Templates (Generating and Managing Templates)" in the "HiPath Deployment Service" Administration Manual.
3.1
Overview
A 4-phase configuration is needed to set up the plug & play feature that downloads parameters
and certificates. This section describes the 4 phases.
The creation of certificates and the RADIUS installation was described in previous sections of
this documentation.
The 4 phases are:
DHCP Configuration
3.2
Test environment
First, here is some information about the data network of the test environment.
The test is done between two Catalyst 3560 switches (referred to as Lab 12 and Lab 11).
The XP client, i.e. the telephone (the Supplicant), and the Authentication Server (RADIUS) are connected to the first switch (referred to as the Authenticator in the following sections).
The second switch is the router (VLAN interconnection routing connects the address ranges); the DLS and the DHCP server are connected to this switch. The connection between the two switches is tunneled (IEEE 802.1X-transparent).
[Figure: switch (Authenticator) with VLAN 12 and VLAN 212; router with VLAN interconnection, guest VLAN 212 allowed, ACL]
3.3
DHCP Configuration
In the case of a new telephone right out of the box, the only parameter known is its MAC address. The factory setting for DHCP is "on".
As the telephone does not yet have a certificate and the switch is configured with an IEEE 802.1X guest VLAN, the telephone is assigned to guest VLAN 212 (address range 212) after the EAP exchange fails.
In the switch monitoring output (after the 802.1X timeout) you can see that the port is assigned to VLAN 212.
3.4
3.4.1
Once you have opened the Deployment Service in a browser, proceed as follows:
1.
2. Either search for an existing device profile using the search function or create a new one.
3. On the "Templates" tab add the previously created template of the IEEE 802.1x mask (see page 110) to the selected profile.
4. If the current profile should be the default profile, ensure that the "Default Profile" button is activated.
5.
The configuration data in a profile is assigned to certain terminals via virtual devices. From the DLS's point of view, these are complete devices which will later be assigned a physical device; all the configuration parameters of the virtual device are then applied to the physical device.
For the different ways to create virtual devices and to change the assignment between virtual and physical devices, please refer to the "Workpoint Autoconfiguration (Plug & Play)" chapter in the DLS administration manual.
3.5
If the start address is sent following the DHCP request, the gateway address is set to 10.23.212.254 (gateway preset for VLAN 212; this is the Vlan212 interface address of the router). Using this address the DHCP address scope 10.23.212.0 is available.
The following display shows the DHCP address pool which makes it possible to provide an IP address (in this case 10.23.212.1) and the "DLS IP address" so that the DLS can be reached.
3.6
3.6.1
Restrictions
Other RADIUS servers such as IAS or Cisco ACS were not tested in this scenario.
If an IAS RADIUS test becomes necessary, it will be planned.
ACLs delivered by FreeRADIUS are out of scope.
Only one PC behind the phone is possible.
If the phone is in the voice VLAN and the switch did not receive the cisco-av-pair attribute device-traffic-class=voice, the Cisco switch reports a security violation and takes the port out of service (as described).
The plug and play function can work in two different modes:
The voice VLAN is transmitted via DHCP: MAB and EAP-TLS must both return Cisco-AVPair = "device-traffic-class=voice". Not recommended.
The voice VLAN is transmitted via DLS: MAB without Cisco-AVPair, EAP-TLS with Cisco-AVPair = "device-traffic-class=voice".
The FreeRADIUS trace and debug output were produced for the plug and play scenario (the not recommended one).
3.6.2
Configuration
3.6.2.1
version 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
! NOTE: this only obfuscates passwords (type 7, reversible). The username
! password and the RADIUS "key 7" value in this listing are recoverable from
! the text and must be treated as plaintext secrets.
!
hostname Switch
!
logging buffered 65535 debugging
enable secret 5 $1$ffD2$IsDN7o4qaMWo9nTctonq61
!
username cisco password 7 01100F175804
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
clock timezone utc 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
ip domain-name GVS.LAB
ip dhcp excluded-address 10.23.12.254
ip dhcp excluded-address 10.23.12.1 10.23.12.100
!
!
dot1x system-auth-control
no file verify auto
!
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name GVSLAB
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport access vlan 12
switchport mode access
duplex half
spanning-tree portfast
!
.
!
interface FastEthernet0/12
switchport access vlan 112
switchport mode access
switchport voice vlan 12
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout quiet-period 20
dot1x timeout tx-period 10
spanning-tree portfast
!
.
.
!
!
interface FastEthernet0/23
switchport access vlan 12
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/24
description --- Trunk to GVSLAB_r01 int fa0/14 ---
switchport trunk pruning vlan none
!
!
interface Vlan1
ip address 10.23.9.2 255.255.255.0
!
ip default-gateway 10.23.9.254
ip classless
ip http server
!
!
ip access-list extended DLSServerOnly
!
radius-server host 10.23.12.99 auth-port 1812 acct-port 1813 key 7 1213091D515A5E577E7E
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
password 7 030954090F03285857
line vty 0 4
password 7 030954090F03285857
line vty 5 15
exec-timeout 30 0
password 7 030954090F03285857
!
!
monitor session 1 source interface Fa0/12 , Fa0/19
monitor session 1 destination interface Fa0/23 encapsulation replicate ingress untagged vlan 112
ntp clock-period 36028550
ntp server 10.23.9.254
end
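The listing uses service password-encryption, so the user password and the RADIUS shared secret appear as type 7 strings (password 7 ..., key 7 ...). Type 7 is reversible obfuscation, not encryption: the algorithm is publicly documented, and the script below, an added example that is not part of this manual or of Cisco's documentation, implements it in plain POSIX sh. The fixed key string is the one given in public references; it assumes nothing beyond a POSIX shell. Anyone who can read a configuration export can therefore recover the RADIUS shared secret, so restrict access to configurations and rotate the secret if a listing leaks.

```shell
#!/bin/sh
# Added example (not from the manual): decodes Cisco "password 7" / "key 7"
# strings to show that service password-encryption is reversible obfuscation.
# Algorithm (publicly documented): the first two digits are a decimal offset
# into a fixed key string; each following hex byte is XORed with the key
# character at that offset, and the offset advances by one per byte.
TYPE7_KEY='dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'

# type7_decode HEXSTRING: prints the plaintext, or fails on malformed input
type7_decode() {
    enc=$1
    len=${#enc}
    case "$enc" in
        *[!0-9A-Fa-f]*) echo "type7_decode: not a hex string" >&2; return 1 ;;
    esac
    if [ "$len" -lt 4 ] || [ $((len % 2)) -ne 0 ]; then
        echo "type7_decode: bad length" >&2
        return 1
    fi
    # starting offset into TYPE7_KEY (strip a leading zero, e.g. "08" -> 8)
    off=$(printf '%s' "$enc" | cut -c1-2 | sed 's/^0//')
    i=3
    out=''
    while [ "$i" -lt "$len" ]; do
        byte=$(printf '%s' "$enc" | cut -c"$i"-"$((i + 1))")
        kch=$(printf '%s' "$TYPE7_KEY" | cut -c"$((off % ${#TYPE7_KEY} + 1))")
        kval=$(printf '%d' "'$kch")            # numeric value of the key char
        pval=$((0x$byte ^ kval))               # XOR recovers the plaintext byte
        out="$out$(printf "\\$(printf '%03o' "$pval")")"
        off=$((off + 1))
        i=$((i + 2))
    done
    printf '%s\n' "$out"
}

# usage: TYPE7=01100F175804 sh type7.sh
if [ -n "${TYPE7:-}" ]; then
    type7_decode "$TYPE7"
fi
```

The two assertions used when checking this script are the widely published example 0822455D0A16 (which decodes to cisco) and the username line from the listing above; both yield the same five-letter password.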
3.7
admin
#################################################################
# PC 1 without certificate: MAC Authentication Bypass only, no 802.1X.
# The switch sends the MAC as User-Name and User-Password. Check items
# stay on the first line (the Catalyst sends Service-Type = Call-Check
# for MAB); reply items follow on the indented lines.
003005ad48f4    User-Password == "003005ad48f4", Service-Type == Call-Check
                Framed-MTU = 1500
#################################################################
# PC 2 without certificate: MAC Authentication Bypass only, no 802.1X
000476118a14    User-Password == "000476118a14", Service-Type == Call-Check
                Framed-MTU = 1500
#################################################################
# Local login for switch management (Telnet)
siemens         Auth-Type := Local, User-Password == "siemens"
                Service-Type = Login-User,
                Login-Service = Telnet,
                Login-TCP-Port = 23,
                NAS-Identifier = Quidway
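The users file above lists the MAB devices by hand. The script below is an added example, not part of this manual or of FreeRADIUS: it generates the same kind of entries from MAC addresses in any common notation (the Catalyst shows 0004.7611.8a14, the RADIUS request carries 000476118a14), selects between the two plug and play modes of section 3.6.1 (MAB with or without the Cisco-AVPair device-traffic-class=voice reply), and adds the EAP-TLS entry keyed on the certificate CN, which always gets the voice AV pair. It assumes FreeRADIUS 2.x or newer, where Cleartext-Password := replaces the deprecated User-Password == check item; the MAC addresses, the CN PhoneCert and the mode names dls/dhcp are illustrative.

```shell
#!/bin/sh
# Added example (not from the manual): generates FreeRADIUS "users" entries
# for MAB devices and the EAP-TLS phone for the two plug and play modes of
# section 3.6.1. Assumes FreeRADIUS 2.x or newer; MACs and CN are illustrative.
set -eu

# Normalise 0004.7611.8a14, 00:04:76:11:8A:14 or 00-04-76-11-8a-14 to the
# 12 lowercase hex digits the Catalyst sends as User-Name/User-Password for MAB.
mac_normalize() {
    m=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    [ "${#m}" -eq 12 ] || return 1
    case "$m" in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "$m"
}

# mab_entry MAC MODE. MODE "dls": the voice VLAN is pushed by DLS, MAB returns
# no AV pair (recommended). MODE "dhcp": the voice VLAN comes via DHCP, so MAB
# must also return device-traffic-class=voice (not recommended).
mab_entry() {
    mac=$(mac_normalize "$1") || { printf 'invalid MAC: %s\n' "$1" >&2; return 1; }
    mode=${2:-dls}
    # check items on the first line: the Catalyst sends Service-Type Call-Check for MAB
    printf '%s\tCleartext-Password := "%s", Service-Type == Call-Check\n' "$mac" "$mac"
    # reply items, comma-separated, on the following lines
    if [ "$mode" = dhcp ]; then
        printf '\tCisco-AVPair = "device-traffic-class=voice",\n'
    fi
    printf '\tFramed-MTU = 1500\n\n'
}

# eap_tls_entry CN: the phone that authenticated with its certificate is
# identified by the certificate CN and always gets the voice AV pair.
eap_tls_entry() {
    printf '%s\n' "$1"
    printf '\tCisco-AVPair = "device-traffic-class=voice",\n'
    printf '\tFramed-MTU = 1500\n\n'
}

# users_file MODE CN MAC...: complete fragment for the users file
users_file() {
    mode=$1; cn=$2; shift 2
    printf '# MAB entries (devices without certificate)\n'
    for mac in "$@"; do
        mab_entry "$mac" "$mode"
    done
    printf '# EAP-TLS phone, identified by the CN of the phone certificate\n'
    eap_tls_entry "$cn"
}

# usage: USERS_DEMO=1 sh gen-users.sh >> /etc/raddb/users
if [ -n "${USERS_DEMO:-}" ]; then
    users_file dls PhoneCert 0004.7611.8a14 0030.05ad.48f4
fi
```

In the recommended DLS mode only the EAP-TLS entry carries the AV pair, so a device that is merely MAB-authenticated never lands in the voice VLAN; in DHCP mode every MAB entry carries it as well, which is why that mode is not recommended.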
3.8
3.8.1
3.8.2
3.8.2.1
AUTHENTICATOR
AUTO
Both
MULTI_DOMAIN
Disabled
20
30
30
3600 (Locally configured)
2
2
10
0
Enabled (EAP)

Domain                = DATA
Supplicant            = 0004.7611.8a14
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
Authentication Method = MAB
Authorized By         = Authentication Server

Domain                = VOICE
Supplicant            = 0001.e326.1dfb
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
Authentication Method = Dot1x
Authorized By         = Authentication Server
3.9
3.9.1
!
interface FastEthernet0/12
switchport access vlan 112
switchport mode access
switchport voice vlan 12
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout reauth-period 15
dot1x guest-vlan 212
dot1x reauthentication
spanning-tree portfast
At this point the guest VLAN (address range 212) must be given access to the DHCP and DLS servers, and to nothing else.
The VLAN interconnection is created in the router. An ACL applied inbound on the guest VLAN interface permits only traffic to the DLS (10.23.11.140), to host 10.23.12.1 and DHCP (bootps/bootpc); everything else from the guest VLAN is dropped by the implicit deny at the end of the ACL.
With dot1x host-mode multi-host, once a single 802.1X client has authenticated on the port, further devices on that port are admitted without authenticating themselves (here: on the voice VLAN, after the client on the first VLAN authenticated successfully). A PC behind the phone therefore rides on the phone's authentication in this mode.
If you set dot1x host-mode single-host, only one 802.1X client is permitted on the first VLAN; other devices are blocked.
If you set dot1x host-mode multi-domain, the telephone and the PC must authenticate themselves individually (one device in the voice domain, one in the data domain).
Ensure that port-control is set to "auto".
GVSLAB_r01#show run
Building configuration...
!
interface Vlan212
ip address 10.23.212.254 255.255.255.0
ip access-group PermitDLSServerOnly in
ip helper-address 10.23.11.140
!
ip access-list extended PermitDLSServerOnly
permit ip 10.23.212.0 0.0.0.255 host 10.23.11.140
permit ip 10.23.212.0 0.0.0.255 host 10.23.12.1
permit udp any any range bootps bootpc
!
3.9.2
Matrix N1 Platinum Command Line Interface
Enterasys Networks, Inc., 50 Minuteman Rd., Andover, MA 01810-1008 USA
Phone: +1 978 684 1000, E-mail: [email protected], WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2007
Chassis Serial Number: 06125174630P
Chassis Firmware Revision: 05.42.06
Matrix N1 Platinum(su)->show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
# ***** NON-DEFAULT CONFIGURATION *****
# ip
set ip address 10.23.9.96 mask 255.255.255.0
set ip route default 10.23.9.254
# arp
# authentication
# banner
# cdp
# cep
# ciscodp
# cli
# console
# cos port-config
# cos port-resource
# cos reference
# cos settings
# cos state
# dot1x
set dot1x enable
set dot1x auth-config authcontrolled-portcontrol forced-auth fe.1.1
set dot1x auth-config reauthperiod 120 fe.1.7
set dot1x auth-config reauthperiod 120 fe.1.8
set dot1x auth-config reauthperiod 120 fe.1.11
set dot1x auth-config reauthperiod 120 fe.1.12
set dot1x auth-config reauthenabled true fe.1.7-8,11-12 ***** Ports Guest *******
# flowlimit
# forcelinkdown
# garp
# gvrp
# history
# igmp
# inlinepower
# lacp
set lacp disable
# length
# license
# line-editor
# linkflap
# lldp
# logging
set logging application RtrAcl level 8
set logging application CLI level 8
set logging application SNMP level 8
set logging application Webview level 8
set logging application System level 8
set logging application RtrFe level 8
set logging application Trace level 8
set logging application RtrLSNat level 8
set logging application FlowLimt level 8
set logging application UPN level 8
set logging application AAA level 8
set logging application Router level 8
set logging application AddrNtfy level 8
# logout
# mac
# macauthentication
set macauthentication enable
set macauthentication password demo
set macauthentication port enable fe.1.11-12
set macauthentication quietperiod 30 fe.1.11-12
set macauthentication reauthperiod 120 fe.1.11-12
set macauthentication reauthentication enable fe.1.11-12
# maclock
# mgmt-auth-notify
# movedaddrtrap
# mtu
# multiauth
set multiauth mode multi
set multiauth precedence dot1x mac pwa cep
set multiauth port mode auth-reqd fe.1.12
************ Authentication is always required ***********
# netflow
# newaddrtrap
# nodealias
# physical
# policy
set policy profile 1 name "allow access voice" pvid-status enable pvid 12 (Voice VLAN)
set policy profile 2 name "allow access data" pvid-status enable pvid 112 (DATA VLAN)
set policy profile 3 name "allow access guest" pvid-status enable pvid 212 (GUEST VLAN)
set policy rule admin-profile port fe.1.7 mask 16 port-string fe.1.7 admin-pid 3
set policy rule admin-profile port fe.1.8 mask 16 port-string fe.1.8 admin-pid 3
set policy rule admin-profile port fe.1.11 mask 16 port-string fe.1.11 admin-pid 3
set policy rule admin-profile port fe.1.12 mask 16 port-string fe.1.12 admin-pid 3
***** Port 7,8, 11 and 12 should use Profile 3, i.e. go to the guest VLAN. ****
set policy autoclear enable
set policy autoclear profile enable
set policy maptable response both
!
# port
set port mirroring create fe.1.11 fe.1.2 both
set port mirroring create fe.1.12 fe.1.2 both
set port mirroring disable fe.1.12 fe.1.2
set port vlan fe.1.2 12 ******************************
set port vlan fe.1.7 12
set port vlan fe.1.8 12
***** assign to VLAN 12 = VOICE VLAN *****
set port vlan fe.1.11 12
set port vlan fe.1.12 12 *******************************
# prompt
# pwa
set pwa enable
set pwa enhancedmode enable
set pwa gueststatus authnone
set pwa protocol chap
set pwa portcontrol enable fe.1.12
# rad
# radius
set radius enable
set radius server 1 10.23.12.99 1812 :dcf48ed62c5bfb984158d7648a9cfed2f325fbb7:
# rmon alarm
# rmon capture
# rmon channel
# rmon event
# rmon filter
# rmon history
# rmon host
# rmon matrix
# rmon stats
# rmon topN
# router
# smon
# snmp
# NOTE: the community "public" mapped to groupRW has read/write access.
# This is a lab setting; before production use SNMPv3 or at least a
# non-default community with read-only access.
set snmp access groupRW security-model v1 exact read All write All notify All
set snmp access groupRW security-model v2c exact read All write All notify All
set snmp community public
set snmp group groupRW user public security-model v1
set snmp group groupRW user public security-model v2c
set snmp view viewname All subtree 1
set snmp view viewname All subtree 0.0
# sntp
# spantree
# ssh
# summertime
# system
set system login enterasys read-only disable password :c8f6b8ae63473088dcf9c7e800a245d445b50d62:
set system login mobility read-only disable password :29c6bff7ed3e5e334a43253c136cb9a8c5a40cb9:
# tacacs
# telnet
# timezone
# vlan
set vlan create 12,112,212 *********** Create VLAN *************
set vlan name 12 VOICE
set vlan name 112 DATA
set vlan name 212 GEST *********************************************
clear vlan egress 1 fe.1.2,7-9,11-12
set vlan egress 1 lag.0.1-48;host.0.1;fe.1.1,3-6,10,13-48 untagged
set vlan egress 12 fe.1.1,11-12 tagged ******* assign port 12 to VLAN 12, tagged *********
set vlan egress 12 fe.1.2,7-9,13 untagged
set vlan egress 112 fe.1.1 tagged
set vlan egress 112 fe.1.7-9,11-13 untagged ****** assign port 12 to VLAN 112, untagged **
set vlan egress 212 fe.1.1 tagged
set vlan egress 212 fe.1.11-12 untagged ****** assign port 12 to VLAN 212, untagged *******
set vlan dynamicegress 12,112,212 enable
******** fe.1.1 is the connection to the router ****************
# vlanauthorization
# webview
# width
end
3.9.3
running configuration:
; J8164A Configuration Editor; Created on release #H.10.50
hostname "ProCurve Switch 2626-PWR"
vlan 1
   name "DEFAULT_VLAN"
   ; guest VLAN for unauthorized access
   untagged 25-26
   ip address 192.168.1.20 255.255.255.0
   no untagged 1-24
   exit
vlan 202
   name "voiceVlanSN2"
   ; voice VLAN for phones
   ip address 192.168.6.2 255.255.255.0
   tagged 1-26
   exit
vlan 2
   name "Testust1"
   ; data VLAN for PCs
   untagged 1-24
   ip address 192.168.2.2 255.255.255.0
   tagged 25
   exit
; 802.1X authentication method: eap-radius
aaa authentication port-access eap-radius
radius-server host 192.168.1.2
radius-server key global_key_string
; ports 14, 17, 18 and 20 made available for 802.1X authentication
aaa port-access authenticator 14,17-18,20
; re-authentication after 1 hour
aaa port-access authenticator 14 reauth-period 3600
; clients on port 14 that cannot authenticate only get the guest VLAN (VLAN 1),
; which has access to the DLS for the certificate download
aaa port-access authenticator 14 unauth-vid 1
; number of permitted authenticated devices: on the 2626-PWR with firmware
; H.10.50 this must be 3 to guarantee access for 2 devices (phone and PC)
aaa port-access authenticator 14 client-limit 3
; no guest VLAN is configured on port 17 because a PC is connected behind the phone
aaa port-access authenticator 17 reauth-period 3600
aaa port-access authenticator 17 client-limit 3
aaa port-access authenticator 18 reauth-period 3600
aaa port-access authenticator 18 unauth-vid 1
aaa port-access authenticator 18 client-limit 3
aaa port-access authenticator 20 reauth-period 3600
aaa port-access authenticator 20 unauth-vid 1
aaa port-access authenticator 20 client-limit 3
; activate 802.1X authentication
aaa port-access authenticator active
Index
A
Access Rights 48
Active Directory 17
Group 45
User 38
Allow access 43
C
CA certificate 67
Certificate
download, create 9
Formats 14
Sample 15
Certificate Authority 9, 30
certificate chain 67, 68
Certificate Export 70
Certificate Services 9, 28
Certification Authority Service 66
Certification Type 29
D
DNS Host 49
E
EAP Configuration 56
EAP Methods 64
EAP Type 61
Enterprise root CA 29
F
flow chart 4
FreeRADIUS
installation 7
I
IAS 35
IEEE 10
IIS 26
Internet Authentication Service 36
Internet Information Services 26
L
Linux 9.0 1, 6
O
OpenSSL
Installation 6
R
RADIUS Client 52, 53
Remote Access Policy 57
Request a Certificate 71
Root Certificate 67, 70
S
Server for TLS 12
T
TLS
Server 12
U
User Certificate 71, 72, 77
Glossary
ACL
Access Control List. In this document: the list of filter rules that restricts what devices in the guest VLAN may reach.
Authenticator
In the context of IEEE 802.1X, an "Authenticator" is a Network Access Server (here: the switch port) that acts as the gatekeeper of a remote access solution. Clients (called "supplicants") request access, and the authenticator grants or denies it after consulting a central authentication server via the RADIUS protocol.
Auto-Enrollment
Available since Windows Server 2003. Introduces the capability for automatically requesting
and distributing certificates if this is necessary according to the policies.
CA
see Certificate Authority
Certificate Authority
A Certificate Authority (in short: CA) is an organization which issues digital certificates. In IT, a digital certificate is basically the equivalent of a passport and is used to verify that a public key belongs to an individual or an organization. This assignment is certified by the CA by signing the certificate with its own signature.
Certificates comprise "keys" and additional information required for authentication as well as
encryption/decryption of sensitive or confidential data sent through the internet or other networks. Additional information may be expiry dates, references to certificate revocation lists, etc.
and are included into the certificate by the CA.
The basic task of a CA is to issue and verify these digital certificates. The CA is responsible for
providing, assigning and checking the integrity of the certificates. Therefore it is an important
part of the public key infrastructure.
A Certificate Authority may be a specific company (e.g. GlobalSign / Cybertrust, VeriSign) or
an institution within a company that has installed their own special server (e.g. the Microsoft
Certificate Server). Public organizations or federal agencies may also act as CAs (e.g. the Federal Network Agency in Germany).
EAP
EAP (Extensible Authentication Protocol) is a framework that allows a wide variety of authentication methods to be used, which makes unauthorized access more difficult.
EAPOL
The Extensible Authentication Protocol over LAN (EAPOL, defined in IEEE 802.1X) is a transport protocol for EAP that encapsulates EAP packets directly in Ethernet frames. With EAPOL, EAP can be used on IEEE 802 LANs (wired Ethernet and WLAN) without a PPP link.
EAP-TLS
EAP-TLS is an EAP method that performs mutual authentication with certificates through a TLS handshake carried inside EAP. The keying material derived from the handshake can also be used to generate WEP (or WPA) keys and thus protect a WLAN.
EAP-TTLS
EAP-TTLS is a variant of EAP-TLS. In addition to authenticating the server with a certificate (as EAP-TLS does), EAP-TTLS establishes a TLS tunnel through which other methods such as MD5 Challenge and One-Time Password can be used to authenticate the client.
Entity
In information technology an entity (synonym: information object) is a uniquely defined object to which information is assigned. The objects can be tangible (e.g. Mount Kilimanjaro) or intangible (e.g. department RK12 of the company Demo-AG).
Each entity (the individual object) is assigned to an entity type; in the examples above "mountain" and "department". Entities are concrete occurrences of an entity type. Sometimes the proper term "entity type" is misused for "entity" (the individual occurrence of an entity type); however, in most cases it is clear from the context whether the term refers to the individual object or the object type.
Individual entities of the same entity type are grouped into entity sets. The entities within an entity set differ from each other by their properties (attribute values).
Each entity of a certain entity type can be differentiated from other entities of the same entity type by a unique value of an attribute (e.g. the vehicle identification number for a specific car or the ISBN for a specific book).
An entity may be in a relationship with other entities as well as with itself.
For more information about the Entity Relationship Model please refer to detailed documentation available through relevant sources (e.g. search in Google).
Entity types are e.g.
IIS
HTTP server provided by Microsoft
PING
Abbreviation for "Packet Internet Groper".
In this case an Echo Request Packet is sent to the target address. If the target supports the
protocol and if it is available, it returns an Echo Reply.
Public Key Infrastructure (PKI)
Provides an arrangement for using public keys and is a combination of software, encryption
technologies and services. A PKI should provide the following functions:
Certification Authorities (see Certificate Authority) that can issue and revoke certificates;
Certificate Publishers where certificates are stored and can be looked up;
RADIUS
RADIUS is a protocol used for authentication in distributed remote access (RAS) solutions. It carries authentication, authorization and configuration data between a central authentication server and the decentralized Network Access Servers (NAS), which act as clients of the RADIUS server. When a user connects to a NAS, the NAS collects the user name, password, NAS-ID and port ID and passes them to the RADIUS server, which verifies them (and, if necessary, the requirements for the session and the service ports) against its database. In this way the use of higher-layer IP protocols can be allowed or denied per user and managed centrally.
Supplicant
In the context of IEEE 802.1X, a "supplicant" is a client requesting access to a network at an
Authenticator.
Wrapper
In general a program acting as the interface between the calling and the "wrapped" program
code. Wrappers can be used e.g. for compatibility reasons if the wrapped code uses a different
programming language; for security reasons, i.e. to restrict or expand access; or for emulation
purposes. A program initially written for DirectX can thus be modified to e.g. use OpenGL for
graphics.
Abbreviations
Abbreviation    Definition
CA              Certificate Authority
DHCP            Dynamic Host Configuration Protocol
DLS             Deployment Service
DNS             Domain Name System
EAP             Extensible Authentication Protocol
EAPOL           EAP over LAN
FTP             File Transfer Protocol
IAS             Internet Authentication Service
IETF            Internet Engineering Task Force
IIS             Internet Information Services
IP              Internet Protocol
PEAP            Protected EAP
PKI             Public Key Infrastructure
RFC             Request for Comments
TAP
TLS             Transport Layer Security
TTLS            Tunneled Transport Layer Security
VID             VLAN Identifier
VLAN            Virtual LAN